BNAT Router
This module will properly route BNAT traffic and allow for connections to be established to machines on ports which might not otherwise be accessible. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Windows Gather Credential Collector
This module harvests credentials found on the host and stores them in the database. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Credential Collector', 'Description' = %q This...
Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
This module exploits a stack buffer overflow in the process bcaaa-130.exe (port 16102), which comes as part of the Blue Coat Authentication proxy. Please note that by default, this exploit will attempt up to three times in order to successfully gain remote code execution; in some cases, it takes as many...
Black Ice Cover Page ActiveX Control Arbitrary File Download
This module allows remote attackers to place arbitrary files on a user's file system by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX Control (BIImgFrm.ocx 12.0.0.0). Code execution can be achieved by first uploading the payload to the remote machine, and then uploa...
Windows Escalate Locked Desktop Unlocker
This module unlocks a locked Windows desktop by patching the respective code inside the LSASS.exe process. This patching process can result in the target system hanging or even rebooting, so be careful when using this module on production systems. This module requires Metasploit:...
IPv6 Local Neighbor Discovery
Enumerate local IPv6 hosts which respond to Neighbor Solicitations with a link-local address. Note that, like ARP scanning, this usually cannot be performed beyond the local broadcast network. This module requires Metasploit: https://metasploit.com/download Current source:...
Java Statement.invoke() Trusted Method Chain Privilege Escalation
This module exploits a vulnerability in Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23. This module requires Metasploit: https://metasploit.com/download Current source...
JBoss Vulnerability Scanner
This module scans a JBoss instance for a few vulnerabilities. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'JBoss Vulnerability Scanner', 'Description' = %q This module scans a JBoss instance...
UltraISO CCD File Parsing Buffer Overflow
This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CCD files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to...
Oracle DB SQL Injection via SYS.LT.ROLLBACKWORKSPACE
This module exploits a SQL injection flaw in the ROLLBACKWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability. This module requires Metasploit: https://metasploit.com/download Current source:...
PHP Executable Download and Execute
Download an EXE from an HTTP URL and execute it. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Php include Msf::Payload::Single def initializeinfo =...
Veritas Backup Exec Server Registry Access
This module exploits a remote registry access flaw in the BackupExec Windows Server RPC service. This vulnerability was discovered by Pedram Amini and is based on the NDR stub information posted to openrce.org. Please see the action list for the different attack modes. This module requires...
MaxDB WebDBM Database Parameter Overflow
This module exploits a stack buffer overflow in the MaxDB WebDBM service. By sending a specially crafted HTTP request that contains an overly long database name, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the wahttp process. This module h...
Unix Command Shell, Bind TCP (inetd)
Listen for a connection and spawn a command shell (persistent). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 487 include Msf::Payload::Single include...
Jira Users Enumeration
This module exploits an information disclosure vulnerability that allows an unauthenticated user to enumerate users in the /ViewUserHover.jspa endpoint. This only affects Jira versions use auxiliary/scanner/http/jirauserenum msf auxiliaryjirauserenum show actions ...actions... msf...
Baldr Botnet Panel Shell Upload Exploit
This module exploits an arbitrary file upload vulnerability within the Baldr stealer malware control panel when uploading victim log files, which are submitted as ZIP files. Attackers can turn this vulnerability into RCE by first registering a new bot with the panel and then uploading a ZIP file...
Install Python for Windows
This module places an embeddable Python3 distribution onto the target file system, granting pentesters access to a lightweight Python interpreter. This module does not require administrative privileges or user interaction with installation prompts. This module requires Metasploit:...
Barco WePresent file_transfer.cgi Command Injection
This module exploits an unauthenticated remote command injection vulnerability found in Barco WePresent and related OEM'ed products. The vulnerability is triggered via an HTTP POST request to the file_transfer.cgi endpoint. This module requires Metasploit: https://metasploit.com/download Current...
FusionPBX Operator Panel exec.php Command Execution
This module exploits an authenticated command injection vulnerability in FusionPBX versions 4.4.3 and prior. The exec.php file within the Operator Panel permits users with operatorpanelview permissions, or administrator permissions, to execute arbitrary commands as the web server user by sending ...
Nostromo Directory Traversal Remote Command Execution
This module exploits a remote command execution vulnerability in Nostromo ... ('Nostromo Directory Traversal Remote Command Execution', 'Description' = %q This module exploits a remote command execution vulnerability in Nostromo ...) Authors: 'Quentin Kaiser' (Metasploit module), 'sp0re' (original public exploit), ...
AIS logistics ESEL-Server Unauth SQL Injection RCE
This module will execute an arbitrary payload on an "ESEL" server used by the AIS logistics software. The server typically listens on port 5099 without TLS. There may also be a server listening on 5100 with TLS, but port 5099 is usually open. The login process is vulnerable to an SQL...
Unitronics PCOM Client
Unitronics Vision PLCs allow unauthenticated PCOM commands to query PLC registers. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Unitronics PCOM Client', 'Description' = %q Unitronics Vision...
Morris Worm sendmail Debug Mode Shell Escape
This module exploits sendmail's well-known historical debug mode to escape to a shell and execute commands via the SMTP RCPT TO command. This vulnerability was exploited by the Morris worm on 1988-11-02. Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg. Currently, only...
Apple_iOS Meterpreter, Reverse HTTP Inline
Run the Meterpreter / Mettle server payload (stageless). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 643824 include...
Windows Gather PureVPN Client Credential Collector
Finds the password stored for the PureVPN Client. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather PureVPN Client Credential Collector', 'Description' = %q Finds the password stor...
WebKitGTK+ WebKitFaviconDatabase DoS
This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful, it could lead to application crash, resulting in denial of service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Memcached Stats Amplification Scanner
This module can be used to discover Memcached servers which expose the unrestricted UDP port 11211. A basic "stats" request is executed to check if an amplification attack is possible against a third party. This module requires Metasploit: https://metasploit.com/download Current source:...
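The check described above, sending one framed "stats" request over UDP and comparing the bytes that come back against the bytes sent, as an added Python example that is not the Metasploit module's own code. The memcached UDP frame header (request id, sequence number, total datagrams, reserved; 16-bit big-endian each) is the real wire format; the sample reply frames, the request id 0x1234 and the analyze()/probe_host() names are constructed for illustration:

```python
import socket
import struct

MEMCACHED_UDP_PORT = 11211
STATS_COMMAND = b"stats\r\n"


def build_probe(request_id=0x1234):
    """Wrap the ASCII "stats" command in the 8-byte memcached UDP frame header
    (request id, sequence number, total datagrams, reserved; all big-endian)."""
    return struct.pack("!HHHH", request_id, 0, 1, 0) + STATS_COMMAND


def parse_frame(datagram):
    """Split one memcached UDP datagram into (request_id, seq, total, payload)."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, _reserved = struct.unpack("!HHHH", datagram[:8])
    return request_id, seq, total, datagram[8:]


def analyze(probe, datagrams):
    """Reassemble the reply to `probe` and return (amplification_factor, stat_lines).

    Frames whose request id does not match the probe are ignored, so stray
    traffic arriving on the socket cannot inflate the measured amplification.
    The factor is bytes received on the wire divided by bytes sent."""
    expected_id = struct.unpack("!H", probe[:2])[0]
    matched = []
    for datagram in datagrams:
        rid, seq, _total, payload = parse_frame(datagram)
        if rid == expected_id:
            matched.append((seq, len(datagram), payload))
    matched.sort(key=lambda frame: frame[0])
    bytes_on_wire = sum(size for _seq, size, _payload in matched)
    body = b"".join(payload for _seq, _size, payload in matched)
    stat_lines = [line for line in body.decode("ascii", "replace").splitlines()
                  if line.startswith("STAT ")]
    return bytes_on_wire / len(probe), stat_lines


def probe_host(host, timeout=2.0, port=MEMCACHED_UDP_PORT):
    """Network variant (hypothetical helper): send one probe to host:port/udp,
    collect every reply datagram until the socket goes quiet, then score it."""
    probe = build_probe()
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(probe, (host, port))
        try:
            while True:
                data, _peer = sock.recvfrom(65535)
                received.append(data)
        except socket.timeout:
            pass
    return analyze(probe, received)


# Constructed sample reply (not a real capture): two frames of one message plus
# one unrelated frame with a different request id that analyze() must discard.
SAMPLE_REPLY = [
    struct.pack("!HHHH", 0x1234, 0, 2, 0)
    + b"STAT pid 1234\r\nSTAT uptime 86400\r\nSTAT version 1.4.25\r\n",
    struct.pack("!HHHH", 0x1234, 1, 2, 0)
    + b"STAT curr_connections 10\r\nSTAT bytes 1048576\r\nEND\r\n",
    struct.pack("!HHHH", 0x9999, 0, 1, 0) + b"ERROR\r\n",
]

if __name__ == "__main__":
    factor, stats = analyze(build_probe(), SAMPLE_REPLY)
    print(f"amplification factor {factor:.1f}x across {len(stats)} STAT lines")
```

A 15-byte probe answered by the two constructed frames (122 bytes) already gives an 8x factor; a real server's full "stats" output is far larger, which is why an unfiltered UDP 11211 is a usable reflector. The check only needs one request, so it is safe to run against your own hosts, but never point it at third parties you do not own.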
Cambium ePMP 1000 'get_chart' Command Injection (v3.1-3.5-RC7)
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 v3.1-3.5-RC7 device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to execute arbitrary system commands. This module requires Metasploit:...
Linux Meterpreter, Reverse HTTP Inline
Run the Meterpreter / Mettle server payload (stageless). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1622448 include...
Linux Meterpreter, Reverse HTTPS Inline
Run the Meterpreter / Mettle server payload (stageless). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1622448 include...
Polycom Shell HDX Series Traceroute Command Execution
Within the Polycom command shell, a command execution flaw exists in lan traceroute, one of the dev commands, which allows an attacker to execute arbitrary payloads with telnet or openssl. This module requires Metasploit: https://metasploit.com/download Current source:...
Linux Meterpreter, Reverse HTTP Inline
Run the Meterpreter / Mettle server payload (stageless). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1166612 include...
OrientDB 2.2.x Remote Code Execution
This module leverages a privilege escalation on OrientDB to execute unsandboxed OS commands. All versions from 2.2.2 up to 2.2.22 should be vulnerable. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution
This module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in the Struts 2.3.x series. Remote Code Execution can be performed via a malicious field value. This module requires Metasploit: https://metasploit.com/download Current source:...
Jboss Credential Collector
This module can be used to extract the Jboss admin passwords for versions 4, 5 and 6. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'nokogiri' class MetasploitModule 'Jboss Credential Collector', 'Description'...
Binom3 Web Management Login Scanner, Config and Password File Dump
This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portals, and attempts to identify valid credentials. There are four (4) default accounts: 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'. In addition to device config, the 'root' user can...
TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection
TrueOnline is a major ISP in Thailand, and it distributes a customized version of the ZyXEL P660HN-T v1 router. This customized version has an unauthenticated command injection vulnerability in the remote log forwarding page. This module was tested in an emulated environment, as the author doesn'...
DLL Side Loading Vulnerability in VMware Host Guest Client Redirector
A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector, a component of VMware Tools. This issue can be exploited by luring a victim into opening a document from the attacker's share. An attacker can exploit this issue to execute arbitrary code with the privileges of...
Ruby on Rails ActionPack Inline ERB Code Execution
This module exploits a remote code execution vulnerability in the inline request processor of the Ruby on Rails ActionPack component. This vulnerability allows an attacker to pass ERB to the inline JSON processor, which is then rendered, permitting full RCE within the runtime, without logging ...
Watchguard XCS Remote Command Execution
This module exploits two separate vulnerabilities found in the Watchguard XCS virtual appliance to gain command execution. By exploiting an unauthenticated SQL injection, a remote attacker may insert a valid web user into the appliance database, and get access to the web interface. On the other...
Windows Gather Active Directory Groups
This module will enumerate AD groups on the specified domain. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Active Directory Groups', 'Description' = %q This module will...
Android Screen Capture
This module takes a screenshot of the target phone. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Android Screen Capture', 'Description' = %q This module takes a screenshot of the target phon...
Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP works as an authentication method; you can spoof it with tools like hping...
HTTP SSL/TLS Version Detection (POODLE scanner)
Check if an HTTP server supports a given version of SSL/TLS. If a web server can successfully establish an SSLv3 session, it is likely to be vulnerable to the POODLE attack described on October 14, 2014, as a patch against the attack is unlikely...
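The probe the entry above describes, a ClientHello that offers only SSLv3 (record and handshake version 3.0) followed by a look at the first record the server sends back, as an added Python example; it is not the Metasploit module's code. The record and handshake layouts are the real SSLv3 wire format; the cipher suite list, the sample ServerHello and alert bytes, and the function names are constructed for illustration. One caveat the page only implies: POODLE is a padding-oracle attack on CBC mode, so the example also reports the negotiated suite and whether it is a CBC suite; a server that speaks SSLv3 but negotiates only RC4 still deserves to have SSLv3 disabled, but is not exposed to this particular attack:

```python
import os
import socket
import struct

SSL3 = (3, 0)
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
# Suites that SSLv3-era stacks commonly support; CBC ones first, RC4 last.
DEFAULT_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]
CBC_SUITES = {0x002F, 0x0035, 0x000A}  # AES128-SHA, AES256-SHA, DES-CBC3-SHA


def build_client_hello(version=SSL3, suites=DEFAULT_SUITES):
    """Build a minimal ClientHello record that advertises only `version`."""
    major, minor = version
    # client_version, 32 random bytes, empty session id
    body = struct.pack("!BB", major, minor) + os.urandom(32) + b"\x00"
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"  # one compression method: null
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", RECORD_HANDSHAKE, major, minor, len(handshake)) + handshake


def parse_server_response(data, version=SSL3):
    """Classify the first record returned for build_client_hello().

    Returns (accepted, suite, detail). accepted is True only for a ServerHello
    whose negotiated version equals `version`; suite is the selected cipher
    suite (None when there was no ServerHello)."""
    if len(data) < 5:
        return False, None, "no TLS record in response"
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == RECORD_ALERT and len(payload) >= 2:
        return False, None, f"alert level={payload[0]} description={payload[1]}"
    if ctype != RECORD_HANDSHAKE or not payload or payload[0] != HS_SERVER_HELLO:
        return False, None, f"unexpected record type 0x{ctype:02x}"
    # ServerHello: type(1) length(3) version(2) random(32) sid_len(1) sid suite(2) comp(1)
    if len(payload) < 39:
        return False, None, "truncated ServerHello"
    negotiated = (payload[4], payload[5])
    if negotiated != version:
        return False, None, f"server negotiated {negotiated[0]}.{negotiated[1]}"
    sid_len = payload[38]
    if len(payload) < 41 + sid_len:
        return False, None, "truncated ServerHello"
    suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
    return True, suite, f"ServerHello for {negotiated[0]}.{negotiated[1]}, suite 0x{suite:04x}"


def is_cbc_suite(suite):
    """True when the negotiated suite is one of the CBC suites POODLE needs."""
    return suite in CBC_SUITES


def check_sslv3(host, port=443, timeout=5.0):
    """Network variant (hypothetical helper): send the SSLv3 ClientHello and
    classify whatever the server sends first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = sock.recv(4096)
    return parse_server_response(data)


def sample_server_hello(version=SSL3, suite=0x002F):
    """Constructed ServerHello record (not a capture) for offline testing."""
    major, minor = version
    body = struct.pack("!BB", major, minor) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", RECORD_HANDSHAKE, major, minor, len(handshake)) + handshake


# Constructed fatal handshake_failure alert (level 2, description 40), the usual
# answer from a server that has SSLv3 disabled.
SAMPLE_ALERT = struct.pack("!BBBH", RECORD_ALERT, 3, 0, 2) + b"\x02\x28"

if __name__ == "__main__":
    for name, record in (("sslv3 server", sample_server_hello()), ("patched server", SAMPLE_ALERT)):
        accepted, suite, detail = parse_server_response(record)
        print(f"{name}: accepted={accepted} cbc={is_cbc_suite(suite)} ({detail})")
```

Scanning from a plain socket rather than the ssl module matters here: modern TLS libraries refuse to offer SSLv3 at all, so a scanner built on them would report "not supported" for every host. Note the sample server answers in both cases are constructed; a real server may also close the connection without any record, which parse_server_response() reports as "no TLS record in response".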
Adobe Flash Player Type Confusion Remote Code Execution
This module exploits a type confusion vulnerability found in the ActiveX component of Adobe Flash Player. This vulnerability was found exploited in the wild in November 2013. This module has been tested successfully on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170 over Window...
Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read
Joomla versions 3.2.2 and below are vulnerable to an unauthenticated SQL injection which allows an attacker to access the database or read arbitrary files as the 'mysql' user. This module will only work if the mysql user Joomla is using to access the database has the LOADFILE permission. This...
Nexpose XXE Arbitrary File Read
Nexpose v5.7.2 and prior is vulnerable to an XML External Entity attack via a number of vectors. This vulnerability can allow an attacker to craft special XML that could read arbitrary files from the filesystem. This module exploits the vulnerability via the XML API. This module requires...
Joomla Media Manager File Upload Vulnerability
This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as 3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component, which comes by default in Joomla, allowing arbitrary file uploads, and results in arbitrary code execution. The module has been...
Open-FTPD 1.2 Arbitrary File Upload
This module exploits multiple vulnerabilities found in Open FTP server. The software contains an authentication bypass vulnerability and an arbitrary file upload vulnerability that allows a remote attacker to write arbitrary files to the file system as long as there is at least one user who has...
D-Link DIR-645 / DIR-815 diagnostic.php Command Execution
Some D-Link routers are vulnerable to OS command injection in the web interface. On DIR-645 versions prior to 1.03, authentication isn't needed to exploit it. On version 1.03 authentication is needed in order to trigger the vulnerability, which has been fixed definitively in version 1.04. Other D-Link...